Think about how this device might work. A high security implementation might work like this:

It has a private key burned into its firmware.

It signs the current time (rounded down to a 30-second step) with the private key. "Encrypting with the private key" is the loose way this is often described; what is produced is a digital signature.

Amazon has on file a copy of the corresponding non-secret public key.

Amazon then takes the signed time, verifies the signature with your public key, and checks that the signed time matches its own clock (typically allowing one 30-second step either side for drift).

The advantages include:

If someone snoops on your conversation, the one-time password they steal is of no use once its 30-second window has passed.

If someone breaks into Amazon, all they can steal is your public key, which is not even a secret. It is useless for impersonating you.

If someone breaks into your computer, your private key is not there in any form. It lives only inside the token and cannot be read out.
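The high security design above, as an added worked example (this is not code from the original page or from any token vendor). It uses Ed25519 from Go's standard library, and assumes a 30-second step and a tolerance of one step either side of the server's clock; the Token and Verifier types, the Manufacture function and the big-endian encoding of the step are my own choices for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// stepSeconds is the rounding window both sides agree on (assumed, as in the text).
const stepSeconds = 30

// signStep converts a Unix time into the 30-second step number that gets signed.
func signStep(unix int64) int64 { return unix / stepSeconds }

// stepMessage is the exact byte string the token signs: the step as 8 big-endian bytes.
func stepMessage(step int64) []byte {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, uint64(step))
	return msg
}

// Token stands in for the fob: it holds the private key and never exports it.
type Token struct{ priv ed25519.PrivateKey }

// Verifier stands in for Amazon: it holds only the public key.
type Verifier struct{ pub ed25519.PublicKey }

// Manufacture generates a key pair, keeps the private half in the token and
// hands the public half to the verifier (the "copy on file").
func Manufacture() (*Token, *Verifier, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Token{priv: priv}, &Verifier{pub: pub}, nil
}

// Respond is what the token emits at time unix: a signature over the current step.
// It returns only the signature; the verifier reconstructs the signed message
// from its own clock, as the text describes.
func (t *Token) Respond(unix int64) []byte {
	return ed25519.Sign(t.priv, stepMessage(signStep(unix)))
}

// Accept checks a response against the verifier's own clock. The signature must
// verify for the current step or one step either side (assumed drift tolerance).
func (v *Verifier) Accept(sig []byte, serverUnix int64) bool {
	if len(sig) != ed25519.SignatureSize {
		return false
	}
	now := signStep(serverUnix)
	for _, step := range []int64{now - 1, now, now + 1} {
		if ed25519.Verify(v.pub, stepMessage(step), sig) {
			return true
		}
	}
	return false
}

func main() {
	tok, amazon, err := Manufacture()
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	sig := tok.Respond(now)
	fmt.Printf("signature is %d bytes; accepted now: %v; accepted 3 minutes later: %v\n",
		len(sig), amazon.Accept(sig, now), amazon.Accept(sig, now+180))
}
```

Note what the verifier holds: only the public key, so a copy of its database cannot be used to forge a response. Note also that an Ed25519 signature is 64 bytes, far more than anyone will type from a display, which is one practical reason a signature-based token wants a USB or similar connection rather than a keypad.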

A low security implementation might work like this:

To get it started, Amazon sends it a random number, the seed, over an https link.

The fob computes a keyed hash (an HMAC) of the current time (rounded down to a 30-second step) using that seed, and displays a few digits of the result.

Amazon has on file a copy of the corresponding seed.

Amazon then takes the current time on its server, runs the same computation with its copy of the seed, and checks that the result matches the value just sent from the fob.

The weakness of this system is that if hackers steal the seeds, the whole system is compromised. The other weakness is that every website you use this device on has to know its secret seed, which increases the odds of the hackers getting access to everything.
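The low security design above is, in effect, OATH TOTP (RFC 6238) with HOTP (RFC 4226) underneath. This added example (not code from the original page or from any vendor) implements both the fob side and the server side with Go's standard library. The seed is the RFC test-vector secret, constructed here rather than taken from a real token; the one-step drift tolerance and the function names are my own assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// totpStep is the 30-second step number for a Unix time (RFC 6238 with T0 = 0, X = 30).
func totpStep(unix int64) uint64 { return uint64(unix / 30) }

// hotp is RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
// "dynamic truncation" down to a decimal code of the requested length.
func hotp(seed []byte, counter uint64, digits int) string {
	msg := make([]byte, 8)
	binary.BigEndian.PutUint64(msg, counter)
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg)
	h := mac.Sum(nil)
	offset := int(h[len(h)-1] & 0x0f)
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is what the fob displays at time unix: HOTP with the time step as the counter.
func totp(seed []byte, unix int64, digits int) string {
	return hotp(seed, totpStep(unix), digits)
}

// serverCheck is Amazon's side: recompute the code from its own copy of the seed for
// the current step and one step either side (assumed drift tolerance) and compare
// in constant time so the comparison does not leak how many digits matched.
func serverCheck(seed []byte, submitted string, serverUnix int64, digits int) bool {
	now := totpStep(serverUnix)
	for _, step := range []uint64{now - 1, now, now + 1} {
		if hmac.Equal([]byte(hotp(seed, step, digits)), []byte(submitted)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed seed: the RFC 4226 / RFC 6238 test-vector secret, not a real token's.
	seed := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := totp(seed, now, 6)
	fmt.Println("fob shows:", code, "server accepts:", serverCheck(seed, code, now, 6))
}
```

The same seed bytes appear in both totp (the fob) and serverCheck (Amazon), which is exactly the weakness the text describes: whoever holds the server's seed table can run totp themselves and produce valid codes for any user.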

Manufacturers are notoriously close-lipped about just how their devices work. They don't want you to crack them, or even to be aware of their vulnerabilities so that you can protect yourself. However, they say they implement OATH standards, and that is a clue: OATH's published algorithms, HOTP (RFC 4226) and TOTP (RFC 6238), are shared-seed designs like the low security one above.

It is too bad that you cannot use this wonderful device on websites other than Amazon AWS, such as your bank.

A similar device could be invented that did not require you to key in the generated password. You would insert it into a USB port. It would not even need a clock: Amazon could send it a random challenge to sign. However, that hypothetical certificate-based device would need special browser support.